How to query the tree to locate SSL Certificates that have expired or are close to expiring.

  • 3814248
  • 26-Feb-2007
  • 16-Mar-2012

Environment

Novell NetWare 6.5
eDirectory 8.7.3

Situation

Key Material Object is expired
SSL Certificate is expired
Can't identify which SSL Certificates are expired or soon to expire.
How to query the tree to locate SSL Certificates that have expired or are close to expiring.

Resolution

First, extend the schema by adding two attributes as optional attributes to the NDSPKI:Key Material object class:
1. In ConsoleOne, highlight the tree and open Schema Manager under Tools.
2. Select the Class tab and scroll down to NDSPKI:Key Material.
3. Select Add, then under "available attributes" select NDSPKI:Not After and NDSPKI:Not Before and click the right arrow to move them to the "add these attributes" window. Then click OK.

Or, in iManager under Roles and Tasks, choose Schema | Add Attribute. In the drop-down box choose NDSPKI:Key Material and click OK. Then, under "available optional attributes", select NDSPKI:Not Before and NDSPKI:Not After and move them to the "Add these optional attributes" window. Then click OK.

After this is done, force a schema sync at the server console with set dstrace = on, set dstrace = +schema, and set dstrace = *ssa, then confirm on the Directory Services screen that no errors are reported. Until the schema change has synchronized to every replica, the attributes cannot be written to KMOs held there.

Second, apply the updated pki.nlm version 2.77. It is included in the edir8736 update, in the /security/secupd directory. It is possible to install just the secupd piece, which has its own secupd.ips file separate from the NDS installation (although updating eDirectory as well is recommended). Once you have installed this through nwconfig, reboot the server.

When the server comes back up and pki.nlm 2.77 loads, it runs a check on all the KMOs in the container where that server object is located and adds the attributes NDSPKI:Not Before and NDSPKI:Not After to each of them. KMOs in other containers are not touched: to get those updated, at least one server in each of those containers must also be updated. You can verify the result in DSBrowse, ConsoleOne, iManager, etc. by looking at an existing SSL Certificate and checking that the attributes NDSPKI:Not Before and NDSPKI:Not After are present. Not Before holds the date the SSL certificate was created (the start of its validity period) and Not After holds the date the certificate expires.

Additional Information

Now that these attributes are present on the KMOs, an LDIF export can be run to list all KMOs with their creation and expiration dates. Note that when you add these attributes to the export criteria they must be entered exactly; these are the LDAP names of NDSPKI:Not After and NDSPKI:Not Before, and the syntax should look like the following:

nDSPKINotAfter
nDSPKINotBefore

An example of the exported LDIF would list every SSL certificate in output like this (the timestamps are YYYYMMDDHHMM, so this certificate was created on 12 November 2004 and expired on 12 November 2006):

dn: cn=SSL CertificateIP - FS1,ou=servers,o=novell
changetype: add
nDSPKINotAfter: 200611121824
nDSPKINotBefore: 200411121824

Once it is determined which certificates are expired or soon to expire, there are multiple ways to remedy the situation. On NetWare, PKIDIAG can be used; more information on using this tool can be found in TID 10095905.

iManager 2.5 or later can also be used and may be the more convenient option. Through the Novell Certificate Server | Create Default Certificates task, a list of servers can be defined, with the option to overwrite the chosen servers' default certificates. This is also useful because it gives a summary screen breaking down, by server, the success or failure of each certificate creation attempt. In order to see the Create Default Certificates task, the latest pki.npm plug-in must be installed; the minimum version required is 3.1.20060109. It can be obtained at https://download.novell.com: select Novell iManager in the drop-down box and then search for pkis on that page.

The default certificates are the following (the server name is appended after the hyphen, as in the export example above):

  • IP AG
  • SSL CertificateIP - <server name>
  • DNS AG
  • SSL CertificateDNS - <server name>

Recreating the KMO does not update copies of the old certificate held elsewhere, so additional steps may be required for applications that import eDirectory certificates into a file format or keystore.

Formerly known as TID# 10097442